Windows 10 Can Detect PowerShell Attacks: Microsoft

Windows 10 can detect suspicious PowerShell activities, code injection, and malicious documents, including attacks where a process connects to a web server and starts dropping and launching an app, Microsoft says.

The functionality is integrated into Defender Advanced Threat Protection (Windows Defender ATP), which was released along Windows 10 Creators Update (and built into the core of Windows 10 Enterprise). The security software is also set to receive a series of enhancements in the Fall Creators Update. Courtesy of endpoint sensors built into Windows 10, along with machine learning technologies, Windows Defender ATP relies on a generic stream of behavioral events to improve detection, the tech giant says.

According to Microsoft, a process’ behavior is defined “not only by its own actions but also by the actions of descendant processes and other related processes,” and many of the actions associated with process execution are usually performed by other processes (injected with malicious code) when malware is involved. Thus, Windows Defender ATP incorporates process behavior trees, being able to analyze the actions and behaviors of a process and its descendants, related either through process creation or memory injection.

The use of machine learning helps Windows Defender ATP “generically detect all kinds of advanced attack methods,” and the same technologies are also effective in detecting attacks involving PowerShell scripts, code injection, and polymorphic documents that launch malicious code, the company explains in a blog post.

One of the malicious uses of PowerShell involves performing tasks without introducing malicious binaries, something that signature-based sensors can detect. Because payloads stored in scripts are easier to maintain and modify, PowerShell can prove attractive to malware creators. Leveraging machine learning, Windows Defender ATP can detect suspicious PowerShell behaviors, including those abused in fileless attacks, Microsoft claims.

To remain stealthy, malware such as Kovter also uses in-memory attack methods, thus evading signature-based scanners. For persistency in memory, PowerShell scripts that inject malicious code to other processes are used. Last month, however, Microsoft explained how Windows 10 enhancements provide protections against code injection attacks, including those used by Kovter and Dridex.

The company now says that documents with malicious macros that trigger suspicious PowerShell and Microsoft Word behaviors are also on Windows Defender ATP’s radar. “ML detects this attack method based on behavior signals available only at the time of execution. In contrast, most signature-based technologies are unable to stop this method, which uses the normal processes PowerShell.exe and Winword.exe. Documents themselves are also generally easy to alter for polymorphism,” Microsoft explains.

Windows 10, the tech giant says, can also detect suspicious documents used by Chanitor (also known as Hancitor). All of these security improvements are possible because the company’s tools take advantage of behavior data, collected via sensors built into Windows 10 and converted by Windows Defender ATP into sets of components or features fed to machine learning technologies like process behavior trees.

“The upcoming Fall Creators Update will integrate Windows Defender ATP closely with the rest of the Windows threat protection stack, transforming it into a comprehensive pre- and post-breach protection solution that enables enterprise customers to not only detect and respond to threats on their devices and networks but also to deliver proactive protection,” Microsoft notes.